chicksdaddy writes: "A presentation at the Passwords^12 Conference in Oslo, Norway (slides: https://hashcat.net/p12/), has moved the goalposts on password cracking yet again. Speaking on Monday, researcher Jeremi Gosney (a.k.a epixoip) demonstrated a rig that leveraged the Open Computing Language (OpenCL) framework and a technology known as Virtual Open Cluster (VCL) to run the HashCat password cracking program across a cluster of five, 4U servers equipped with 25 AMD Radeon GPUs communicating at 10 Gbps and 20 Gbps over Infiniband switched fabric.

Gosney’s system elevates password cracking to the next level, and effectively renders even the strongest passwords protected with weaker encryption algorithms, like Microsoft’s LM and NTLM, obsolete.

In a test, the researcher’s system was able to generate 348 billion NTLM password hash checks per second. That renders even the most secure password vulnerable to compute-intensive brute force and wordlist (or dictionary) attacks. A 14 character Windows XP password hashed using LM for example, would fall in just six minutes, said Per Thorsheim, organizer of the Passwords^12 Conference.

For some context: In June, Poul-Henning Kamp, creator of the md5crypt() function used by FreeBSD and other Linux-based operating systems was forced to acknowledge that the hashing function is no longer suitable for production use — a victim of GPU powered systems that could perform “close to 1 million checks per second on COTS (commercial off the shelf) GPU hardware,” he wrote. Gosney’s cluster cranks out more than 77 million brute force attempts per second against MD5crypt."

Should we be that worried for Linux ? A 12-char long password encrypted with md5 would still require in the order of 10^7 seconds to crack, i.e. about 110 days or almost 4 months. Another way to look at it is to say that it is 400.10^9 / 77.10^6 = 5000 times slower to crack linux passwords than windows ones. The quoted 6 minutes extend to 21 days, which is a little short.